Modicon Controllers M241/M251/M258/LMC058/M262
Status: Monitor | Score: 6.5 | Advisory: SEVD-2025-161-02 | Jun 10, 2025
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
Multiple input validation and resource handling vulnerabilities in Schneider Electric Modicon Controllers M241, M251, M258, M262, and LMC058. These flaws enable cross-site scripting (XSS) attacks, denial of service through uncontrolled resource consumption, and integrity loss. M241, M251, and M262 have vendor fixes available. M258 and LMC058 have no planned fixes and remain vulnerable in all versions.
What this means
What could happen
An attacker with network access and valid credentials could crash a Modicon controller or consume excessive resources, causing loss of control over automated processes. Cross-site scripting could allow manipulation of web-based interfaces used to monitor or configure the devices.
Who's at risk
Water utilities, power distribution operators, and manufacturing facilities using Modicon M241, M251, M262, M258, or LMC058 controllers. Any site relying on these PLCs for pump control, valve actuation, process automation, or other critical functions is at risk. Organizations using older Schneider Electric micro-PLC and motion control platforms should prioritize assessment.
How it could be exploited
An attacker would need network access to the controller and valid engineering credentials. They could send a specially crafted request to trigger uncontrolled resource consumption (denial of service) or inject malicious scripts into the web interface, potentially disrupting monitoring and control capabilities.
Prerequisites
- Network access to the Modicon controller
- Valid engineering workstation or administrative credentials
- Access to web-based management interface (for XSS attack path)
Key points
- Remotely exploitable
- Authentication required (reduces risk)
- No patch available for M258 and LMC058
- Affects programmable logic controllers (critical automation devices)
- Denial of service could halt operations
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (5)
3 with fix, 2 EOL
Product                    | Affected Versions | Fix Status
Modicon Controllers M241   | < 5.3.12.51       | 5.3.12.51
Modicon Controllers M251   | < 5.3.12.51       | 5.3.12.51
Modicon Controllers M262   | < 5.3.9.18        | 5.3.9.18
Modicon Controllers M258   | All versions      | No fix (EOL)
Modicon Controllers LMC058 | All versions      | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Restrict network access to Modicon controllers to only authorized engineering workstations and control systems; block unnecessary inbound connections on the controller's management and communication ports
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update Modicon M241 firmware to version 5.3.12.51 or later using EcoStruxure Automation Expert – Motion v24.1 or Machine Expert v2.3
HOTFIX: Update Modicon M251 firmware to version 5.3.12.51 or later using EcoStruxure Automation Expert – Motion v24.1 or Machine Expert v2.3
HOTFIX: Update Modicon M262 firmware to version 5.3.9.18 or later using EcoStruxure Automation Expert – Motion v24.1 or Machine Expert v2.3
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Modicon Controllers M258 (all versions), Modicon Controllers LMC058 (all versions). Apply the following compensating controls:
HARDENING: Limit credential access to engineering workstations; use network segmentation to isolate controllers from untrusted networks and the internet